Amazon being the world’s most customer-centric company only goes so far and may stop at Amazon Web Services (AWS). The ambition to build the “world’s most comprehensive and broadly adopted cloud platform” has seen missteps in the recent months. It started with a widespread, hours-long outage in early December affecting the central and eastern United States. AWS’s outage took major companies’ websites offline and disabled online services, including Netflix and Amazon’s Ring security cameras.
Soon another outage followed the high-profile disruption. And then a third outage rocked AWS users.
AWS system failures pose more than an inconvenience to users. It can result in customers finding themselves unable to access their own private data and information—and a big and unsuspected bill.
Insider recently published a report on the “supercharged” incentives for hackers to break into AWS customer accounts and use them to mine cryptocurrencies. The substantial amount of computing that goes into the mining results in unsuspecting customers being hit with bills that are hundreds of times higher than normal. Most of the examples that Insider reviewed were for AWS. They included bombshell $45,000 and $53,000 bills for customers used to paying $150 per month. It noted Google’s report that 86 percent of cloud account breaches were for cryptocurrency mining. Microsoft Azure did not respond.
This is not to suggest that all cryptocurrency mining on cloud platforms is suspect, however customers with no relation to cryptocurrency have been hacked by ruthless miners.
Reporting suggests that AWS customers were inconvenienced with high costs and lock in and that AWS hacking victims endured inconvenient and drawn-out response and support processes. AWS eventually agreed to waive one massive bill as a “one off exception,” and another customer is still awaiting a resolution after nearly two weeks after reporting the charges.
Insider details that the default response from AWS is to blame customers for practicing lax cybersecurity. An Amazon spokesperson said that AWS is “secure by default” and pointed to a policy that states that customers are responsible for security.
Recent events have shown that even AWS’s own security is less than perfect. A new attack on AWS, a Superglue Zero Day Attack, demonstrates that heralded sovereignty amongst AWS customer accounts was violated.
Rainy Day Recourse
Clients and end users are essentially powerless to prevent cloud outages. They can mitigate the problem by stretching their architecture across multiple geographic regions or using multiple providers—though it comes with increased cost and effort. This may be a non-starter for many AWS clients already facing expenses from lock in and runaway costs.
These problems and challenges have not escaped regulatory attention. Though an investigation began in the prior administration, the Federal Trade Commission has redoubled efforts against AWS. The European Data Protection Supervisor also started an investigation of the data protection practices of AWS and Azure, citing concerns that European Commission agencies use the platforms.
In 2020, a US House antitrust subcommittee report outlined the ways AWS bilks customers with fees and policies designed to keep them locked into the service. For example, AWS imposes an egress fee on customers who move data to another provider.
Customers informed the subcommittee that the fee comes off more as a deterrent from jumping to a competitor than as a true cost of service. They noted that the fee applies even when data is to remain within the same data center.
Due to these types of fee structures and policies, AWS customers would “incur significant time and expense” if they were to upgrade their cloud architectures in an attempt to mitigate harms from future AWS outages – a likely occurrence, possibly with even more widespread effects.
Outages, well-devised lock in, vulnerable cybersecurity, and escalating costs are among the problems that come with overreliance on the world’s largest cloud provider. AWS’s outages and the steps that customers can take as a bulwark against future instances underscore how the company’s high costs and its own system vulnerabilities intertwine.
The silent then explosive rise of cloud computing is an amazing story of corporate strategy and incremental innovation. Cloud leaders leveraged existing software platforms from B2C domains in ecommerce, search, and operating systems to the B2B market and then granular-lized enterprise cloud services for individuals. The cloud market now dominated by the superpowers of AWS, Google Cloud and Microsoft Azure—and the emergent Huawei—vexes policymakers. It makes a mockery for their calls for “vendor diversity” in downstream software and equipment. It is far easier to switch one’s broadband provider or the vendor of 5G infrastructure equipment that to switch cloud providers.
A key AWS value proposition is that customers should join its platform “to gain the control and confidence you need to securely run your business with the most flexible and secure cloud computing environment available today.” The reality is that while customers may gain some security advantages, they will be exposed to new risks for which they must take responsibility. “Caveat emptor” is as true today as ever. Don’t be ignorant of what you’re buying.